Description
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. Version 1.4.0 patches the issue.
Published: 2026-03-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability originates from an infinite loop in the BigInteger.modInverse() method of the node‑forge library. When modInverse() is called with a zero value, the Extended Euclidean Algorithm enters a state with no exit condition, causing the process to hang and consume 100% CPU. The loop never terminates, thus the affected process becomes unresponsive and the application or host suffers a denial of service.

Affected Systems

This defect affects installations of the DigitalBazaar Forge (node‑forge) library prior to version 1.4.0. Any Node.js project that relies on older releases of this JavaScript TLS implementation—including applications running on Windows, Linux, or macOS—is potentially exposed.

Risk and Exploitability

The vulnerability has a CVSS score of 7.5, indicating a high impact if exploited. The EPSS score is less than 1 %, pointing to a low likelihood of widespread exploitation, and it is not listed in the CISA KEV catalog. The attack vector is inferred to be local or remote depending on whether the offending cryptographic operation can be triggered by untrusted input; an adversary could cause the DoS by requesting node‑forge to compute a modular inverse of zero, which may occur through malicious payloads or misconfiguration.

Generated by OpenCVE AI on April 8, 2026 at 15:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade node-forge to version 1.4.0 or newer, which removes the infinite loop issue.
  • If an update cannot be performed immediately, modify any code paths that call modInverse() to validate that the operand is non‑zero before invocation, or replace the call with a safe alternative.
  • Confirm that no older versions of node‑forge remain in the production environment, using lock files or dependency checks to prevent unintended downgrades.

Generated by OpenCVE AI on April 8, 2026 at 15:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5m6q-g25r-mvwx Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input
History

Wed, 08 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:digitalbazaar:forge:*:*:*:*:*:node.js:*:*

Mon, 30 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Digitalbazaar
Digitalbazaar forge
Vendors & Products Digitalbazaar
Digitalbazaar forge

Sat, 28 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-606
References
Metrics threat_severity

None

 threat_severity

Important

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. Version 1.4.0 patches the issue.
Title Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input
Weaknesses CWE-835
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Digitalbazaar Forge
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T15:38:12.388Z

Reserved: 2026-03-24T15:10:05.682Z

Link: CVE-2026-33891

cve-icon Vulnrichment

Updated: 2026-03-30T15:38:08.073Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T21:17:25.817

Modified: 2026-04-08T13:50:28.880

Link: CVE-2026-33891

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-27T20:43:37Z

Links: CVE-2026-33891 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:00:53Z

Weaknesses